PHP Malware - Basic Web Shells For Remote Code Execution

2,508 views

Ripple Software Consulting

2 years ago

In this series of articles and videos I will explore some PHP malware code that has been publicly published. All the samples discussed are derived from a GitHub repository maintained by marcocesarato.
You can read the full blog article here:
www.ripplesoftware.ca/php-mal...
The advice from Ripple Software Consulting is to always maintain solid web-server security through hardened configuration and monitoring, and to scan both internal and external surfaces for vulnerabilities with a tool such as CISOfy's Lynis or Greenbone's GVM. For an example of solid LAMP stack server security, you can visit RSRC's VPS Deploy WordPress GitHub repository, a tool for automatically deploying a WordPress website on a hardened Linux VPS server. If you don't want to secure your own WordPress installation, you can hire a trained security consultant such as Ripple Software, or use a third-party managed hosting provider.
PHP is a scripting language, which means its source code is usually in human-readable form. PHP does not need to be compiled manually; the PHP interpreter handles that at run time. This makes hunting PHP malware in your website easier than in compiled languages, but it can still be very challenging. Other scripting languages include Python, Bash, JavaScript, and Perl. PHP powers approximately 79% of the internet's websites, and the most popular content management system (CMS), WordPress, is written in PHP.
In Part 1, below, we will look at the source code for simple web shells. In Part 2 we will look at how attackers encode or encrypt the payload code, making it harder for threat hunters to find.
Part 1 - Simple WebShells
Let's gain an understanding of what a web shell is and take a look at some simple web shells. A web shell is a malicious piece of code installed within your website's code that allows an attacker to execute system commands or arbitrary PHP functions. This lets an attacker pull files in from an external source, exfiltrate files from the server, modify existing web-application source files or other system files, and add malicious scheduled jobs to the server.
For the commands to be executed, the web-shell code must be placed somewhere in the source code that is either run on every page load or contained within a single page. The best place depends on the type of web shell used, as we will discuss in the samples below. Commands execute at the permission level of the web-server service (Apache, Nginx), although other reachable commands may enforce their own authorization, so it is critical to limit file permissions on the server to reduce the attack surface. Folders and files in Linux have three levels of permissions: owner, group, and others (anyone). It is particularly important to remove 'others' read and write permissions from as many files as possible, but even the read and write permissions on files owned by the web-server application can be tightened to limit the damage a web shell can do.
Conclusion
The most effective way to protect your website's source code from attacks is to protect the access controls and maintain a hardened server configuration. Another important factor is working with developers and secure hosting providers who are honest and trustworthy. If you believe your website has been hacked, you can scan the source code files for commands such as the ones used in this tutorial, but since it's very likely that the malware infecting your website is hidden using encoding or encryption, this approach will not provide an exhaustive search for malicious code injections. Most attackers are too smart (and motivated) to simply add un-encoded source code that would allow threat hunters to search for and find it. We will discuss this topic more in Part 2.
You may instead use other third-party tools to find malware in your WordPress site. Some examples of WordPress security plugins that include malware scanning capability are:
* Sucuri plugin
* Wordfence plugin
* BulletProof Security plugin
The final tutorial in this series will demonstrate how to scan your site for malicious code and remove it using these tools. Also, check out this post about other critical ways to protect your WordPress and other web applications.

Comments: 1
@demetriusburgess8201 2 years ago
🔥🔥 thank you!